Q&A with fraud prevention consultant Brett Johnson

Brett Johnson, a former most-wanted cybercriminal, now advises Fortune 1000 companies on how to spot and prevent fraud. Brett participated in the SVB Fraud Prevention Webcast, Confessions of a Fraudster, in October 2018. SVB’s Fraud Strategy Manager, Linda Nguyen, recently asked Brett for his insights based on the most frequent listener questions from the webcast.

Brett, what are common pitfalls for companies, and how can they protect themselves?

The number one thing is understanding where your products and services fit in the fraud spectrum. Different products have different vulnerabilities. For example, if you sell virtual items, credit card numbers will automatically match valid shipping addresses. If you sell and ship physical goods, the billing and shipping addresses may differ. Cyber criminals will ship a product to another address, or they may contact the shipper to divert shipment. For both virtual and physical products, criminals can bypass security by calling customer service from an actual customer’s phone number. When the customer service representative sees that the phone number matches the number on file for that client, he assumes he’s talking to the customer. A criminal can then convince the service representative to provide account information and change delivery addresses.

How do cyber criminals use “spear phishing” email tactics to defraud a company?

Spear phishing is roughly 80 percent successful, causing annual business losses of $12.5 billion. A fraudster finds an accounts receivable employee (the target) and collects his or her email address on a social media site such as LinkedIn. The fraudster is then ready to spear phish. The fraudster sends a well-designed but fake email containing malware to the targeted individual in order to gain access to that target’s email account. The fraudster can then read every email message and capture the email addresses of the target’s vendors. The fraudster sets up a dummy email domain with one tiny difference from the actual email address. Next, the fraudster creates a fake email to one of the vendors that mimics the language of the target’s messages, and asks the vendor to send him an invoice. The fraudster can use the sample invoice to request payments from the target’s other legitimate vendors and reroute payments to himself.
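The "dummy email domain with one tiny difference" is the detectable part of this scheme. The following is an added example (not code from the page, SVB, or Brett Johnson) of how a receiving organization can flag sender domains that are near-misses of a known vendor domain: it normalizes common character swaps (rn for m, vv for w, digits for letters) and then applies an edit-distance check against a vendor allowlist. The vendor domains and sample sender addresses are constructed for illustration; a real deployment would read the sender from the authenticated message headers and maintain the allowlist from the vendor master file.

```python
"""Flag sender domains that look like, but are not, a known vendor domain.

Added example. VENDOR_DOMAINS and the SAMPLE_SENDERS below are constructed
for illustration and are not from the original page.
"""
from __future__ import annotations

# Hypothetical vendor allowlist (constructed for this example).
VENDOR_DOMAINS = {"acme-supply.com", "northwind.io", "contoso.net"}

# Character sequences commonly swapped for one another in lookalike domains.
# Multi-character entries come first so they are rewritten before the
# single-character ones.
_CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
]


def normalize(label: str) -> str:
    """Collapse visually confusable sequences so 'acrne' compares equal to 'acme'."""
    label = label.lower()
    for bad, good in _CONFUSABLES:
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert / delete / substitute)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'user@host' or 'Display Name <user@host>'."""
    addr = address.strip().rstrip(">")
    return addr.rsplit("@", 1)[-1].lower()


def classify(address: str, allowlist=VENDOR_DOMAINS,
             max_distance: int = 2) -> tuple[str, str | None]:
    """Return ('known', domain), ('lookalike', vendor) or ('unknown', None).

    A domain is a lookalike if it normalizes to a vendor domain, or if it is
    within max_distance edits of one (catches 'acme-supply.co' style drops).
    """
    domain = sender_domain(address)
    if domain in allowlist:
        return "known", domain
    norm = normalize(domain)
    for vendor in allowlist:
        if norm == normalize(vendor) or levenshtein(domain, vendor) <= max_distance:
            return "lookalike", vendor
    return "unknown", None


def flag_messages(addresses: list[str]) -> list[tuple[str, str]]:
    """Return (address, impersonated vendor) for every lookalike sender."""
    flagged = []
    for addr in addresses:
        verdict, vendor = classify(addr)
        if verdict == "lookalike":
            flagged.append((addr, vendor))
    return flagged


# Constructed sample senders: one genuine vendor, three lookalikes, one stranger.
SAMPLE_SENDERS = [
    "invoices@acme-supply.com",
    "Accounts Payable <ap@acrne-supply.com>",
    "billing@acme-supply.co",
    "ap@northvvind.io",
    "someone@example.org",
]

if __name__ == "__main__":
    for addr, vendor in flag_messages(SAMPLE_SENDERS):
        print(f"LOOKALIKE  {addr:45s} impersonates {vendor}")
```

This catches the homoglyph and near-miss cases the interview describes; it does not catch a fully compromised legitimate mailbox, which is why the payment-detail change itself should also be verified out of band with the vendor.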

What is the best way to mitigate attacks once attackers are inside my systems?

Phishing relies heavily on people using the same passwords across multiple logins. So, the number one recommendation is to use secure, unique passwords on every account. You can also use a password manager or security key. Once an attacker has your information, if you know what data he has accessed, you can prevent future attacks by changing those passwords.

What can you do if you’re hacked, and how do hackers find vulnerabilities?

Attackers rely on software update gaps, because people are slow to implement them. Think of a security update notification as a broadcast to the cyber criminals on the planet, telling them which doors to knock on for access. Another weak point is default passwords. It’s estimated that 41 percent of all routers still have the default password in place. So it’s important for companies to implement password security and update policies for all systems, servers, and employees.

Are identity monitoring services effective?

People are initially extremely diligent about security, but then naturally get lazy. A monitoring company guards against that. There are both free and paid services. With either option, I suggest finding a company that uses real-time data rather than historical data to detect breaches. The monitoring firm should also monitor information from multiple data sets, not just a single source, as this allows for cross-referencing to discover and repair potentially inaccurate data.

Do you recommend removing social media profiles such as Facebook or LinkedIn?

Social media is not going away, but people should keep their profiles private. Criminals use Facebook and LinkedIn as databases to get information such as home address and date of birth. Also, be aware of who's requesting to be a friend. Is it really someone you know? If not, you’re likely giving a criminal access to your information.

Should I place a credit freeze for my children?

Children are likely victims of identity theft; one in four children’s identities suffer hacking attempts. I recommend freezing your child’s credit with Experian, TransUnion, and Equifax as soon as your child is issued a Social Security Number. This freeze can help stop new account fraud for that SSN. Only you can lift that freeze. If not, you may not know your children are victims until they apply for credit years later.

What are your thoughts on crypto-currency related fraud?

Someone asked the 1930s bank robber Willie Sutton, “Why do you rob banks?” He answered, “That’s where the money is.” And that’s why criminals target crypto-currencies like bitcoin: it’s where the money is. Criminals know blockchain is extremely secure, so instead of trying to break through, they compromise the human instead, by porting phone numbers and registering social media accounts in currency names. So again, it’s social engineering of a human rather than a system.

Any final thoughts for our webcast listeners?

Yes. It's your job to be proactive with your security. Don't rely 100 percent on an outside service, and always be proactive — cyber criminals rely on your complacency to commit fraud.


For more insights on how to prevent fraud

  • Read the SVB Webcast article summary
©SVB Financial Group. All rights reserved. Silicon Valley Bank is a member of the FDIC and of the Federal Reserve System. Silicon Valley Bank is the California bank subsidiary of SVB Financial Group (Nasdaq: SIVB). SVB, SVB FINANCIAL GROUP, SILICON VALLEY BANK, MAKE NEXT HAPPEN NOW and the chevron device are trademarks of SVB Financial Group, used under license.

This material is provided for informational purposes only. The conclusions expressed are based upon limited information available to Silicon Valley Bank regarding your company's fraud detection and prevention programs, and should not be seen as a substitute for obtaining your own independent assessment of such programs. The security of your operating system and your procedures for conducting banking transactions with us remains your responsibility. Silicon Valley Bank is not responsible for any cost, claim or loss associated with your use of this material.   

Brett Johnson and AnglerPhish are independent third-parties not affiliated with SVB Financial Group. Any views or opinions expressed by Brett Johnson are his own and do not necessarily reflect the official policy or position of SVB Financial Group.


About the Author

Rob is SVB's Deputy Bank Secrecy Act (BSA) Officer, responsible for fraud and anti-money laundering investigations. He has spent more than 20 years in banking focused on risk management, information technology, and decision science. Prior to joining SVB, Rob served as the manager of operations for Financial Crimes Investigations with Wells Fargo Bank.